Story of a #begBounty Hunter.

How I unveiled Nakul Mohan.

Nakul Mohan is a guy, getting lots of public attraction for his shameless activities.I was following his posts regarding bounties and SWAG.I was quite impressed with his findings “TITLE”. Most of the title he uses to define his finding are rarely having any resemblance with the traditional bugs.Here is his last few posts heading regarding bounty/SWAG:

1.phpwn: Attack on PHP sessions and random numbers Cross-Domain
2.Generic Cross-Browser Cross-Domain Theft And Posting Raw XML
3.Next Generation Clickjacking — Stroke triggered XSS and StrokeJacking
4.Persistent Cross Interface Attacks Vulnerability
5.Hibernate Query Language Injection
6.Turning XSS into Clickjacking And Popup & Focus URL Hijacking
7.Java Applet Same-Origin Policy Bypass Via HTTP Redirect

Sounds amazing? Yah! Indeed. It made me amazed too until I unveiled the curtain.

I was making an web application for one of my project.So,I decided to create a responsible disclosure page,and invited Nakul Mohan via one of my friend.
He was blazing first,he reported 11 vulnerability within 10–12 minute.
And those were:

11 Severe (!) Vulnerability Discovered by Nakul Mohan.

I would like to mention that,I kept the FPD and Login/Logout CSRF intentionally on my application.So that at least he can find something.And I acted like a well-mannered security engineer (!) to gain his trust.I talked with him,resolved the issues,asked him for reproduce those issues.And finally marked solved.
When he asked for bounty,I told him that it depends upon the decision of our panel.I also told him that I am trying to get my program into HackerOne for better crowd response.
Then he send the following, Tighten up your seat belt for the show (!):

I hope you understand the fact.Or you might be in this situation:

He forged all the pics and send me to show that other companies are “Throwing Away” money for such low severity reports.But as for my case,I got a strong point to reject him from the bounty payout.

Reply from my side after receiving those Forged Images.

Then he started Telling Lie that he didn’t forge > Accepts his misdeed > Asking for bounty > Yelling at me > BOMB my mailbox > Threatening me to write on blogs about my “Fraudulent” activities.
Here’s some snap:

Nakul Threatening me
Nakul Yelling at me!
Bombing Mailbox

He was getting out of control.So,I applied my last technique to cool him down.Interested? Go ahead :

sorry! I Lied that I paid bounty to 11 People ☹
At last he stopped!

So,if this is what going on behind the bug-bounty or responsible disclosure,I can clearly see what is the future of this industry.

The website is not fake!
It’s still on development phase and will be launched soon.We dont have ability to pay much,but at least I can secure my projects with the help of the crowd’s of hackerone/bugcrowd.
Show your support

Clapping shows how much you appreciated Tarek Siddiki’s story.